Abstract — Internet users such as individuals and organizations are subject to different types of epidemic risks such as worms, viruses, spam, and botnets. To reduce the probability of risk, an Internet user generally invests in traditional security mechanisms like anti-virus and anti-spam software, sometimes also known as self-defense mechanisms. However, according to security experts, such software (and its subsequent advancements) will not completely eliminate risk. Recent research efforts have considered the problem of residual risk elimination by proposing the idea of cyber-insurance. In this regard, an important research problem is resolving the information asymmetry issues associated with cyber-insurance contracts. In this paper we propose three mechanisms to resolve information asymmetry in cyber-insurance. Our mechanisms are based on the Principal-Agent (PA) model in microeconomic theory. We show that (1) optimal cyber-insurance contracts induced by our mechanisms only provide partial coverage to the insureds, which ensures greater self-defense efforts on the part of the latter to protect their computing systems and in turn increases overall network security; (2) the level of deductible per network user contract increases in a concave manner with the topological degree of the user; and (3) a market for cyber-insurance can be made to exist in the presence of monopolistic insurers under effective mechanism design. Our methodology is applicable to any distributed network scenario in which a framework for cyber-insurance can be implemented.

Keywords - cyber-insurance, self-defense investments, information 
asymmetry, topological degree, microeconomics 

I. Introduction 

The Internet has become a fundamental and integral part of our daily lives. Billions of people nowadays use the Internet for various types of applications. However, all these applications run on a network that was built under assumptions some of which are no longer valid for today's applications, e.g., that all users on the Internet can be trusted and that there are no malicious elements propagating in the Internet. On the contrary, the infrastructure, the users, and the services offered on the Internet today are all subject to a wide variety of risks. These risks include distributed denial of service attacks, intrusions of various kinds, hacking, phishing, worms, viruses, spam, etc. In order to counter the threats posed by these risks, Internet users¹ have traditionally resorted to anti-virus and anti-spam software, firewalls, and other add-ons to reduce the likelihood of being affected by threats. In practice, a large industry (companies like Symantec, McAfee, etc.) as well as considerable research efforts are currently centered around developing and deploying tools and techniques to detect threats and anomalies in order to protect the Internet infrastructure and its users from the negative impact of these anomalies. However, security experts [4] claim that it is impossible to achieve perfect or near-perfect Internet security just via technological advancements.

A. Why Technological Advancements Aren't Enough

In the past decade and a half, risk protection techniques from a variety of computer science fields such as cryptography, hardware engineering, and software engineering have continually improved. In spite of such improvements, recent articles by Anderson [3][4][5] have stated that it is impossible to achieve 100% Internet security protection. The authors attribute this impossibility primarily to the following reasons:

1) Existing technical solutions are not sound, i.e., there do not always exist fool-proof ways to detect and identify even well-defined threats; for example, even state-of-the-art detectors of port scanners and other known anomalies suffer from positive rates of false positives and false negatives [14]. In addition, the originators of threats, and the threats they produce, evolve automatically in response to the detection and mitigation solutions being deployed, which makes it harder to detect and mitigate evolving threat signatures and characteristics [36]. Finally, completely eliminating risks would require the use of formal methods to design provably secure systems; however, these methods capture with difficulty the presence of messy humans, even non-malicious humans, in the loop [26].

2) The Internet is a distributed system, where the system users have divergent security interests and incentives, leading to the problem of 'misaligned incentives' amongst users. For example, a rational Internet user might well spend $20 to stop a virus trashing its hard disk, but would hardly have any incentive to invest sufficient amounts in security solutions to prevent its computer being used by an attacker for a service-denial attack on a wealthy corporation like Amazon or Microsoft [35]. Thus, it is evident that the problem of misaligned incentives can be resolved only if liabilities are assigned to the parties (users) that can best manage risk.

3) The risks faced by Internet users are often correlated and interdependent. As a result, a user taking protective action in an Internet-like distributed system creates positive externalities [16] for other networked users, which in turn may discourage them from making appropriate security investments, leading to the 'free-riding' problem [9][12][24][27]. The free-riding problem leads to suboptimal network security.

4) Network externalities due to lock-in and first-mover effects of security software vendors affect the adoption of more advanced technology [3].

5) Many security software markets have aspects of a lemons market [2] or even worse, i.e., by looking at security software, even the vendor does not know how secure its software is [5]. So buyers have no reason to pay for more protection, and vendors are disinclined to invest time, money, and effort to strengthen their security software code.

1 The term 'users' may refer to both individuals and organizations. The network under consideration may be the Internet or any other distributed communication network where users have access to the Internet.

B. The Advent of Cyber-insurance

In view of the above-mentioned inevitable barriers to 100% risk mitigation, the need arises for alternative methods of risk management in the Internet. Anderson and Moore [4] state that microeconomics, game theory, and psychology will play as vital a role in effective risk management in the modern and future Internet as did the mathematics of cryptography a quarter century ago. In this regard, cyber-insurance is a psycho-economic-driven risk-management technique, where risks are transferred to a third party, i.e., an insurance company, in return for a fee, i.e., the insurance premium. The concept of cyber-insurance is growing in importance amongst security engineers. The reason for this is threefold: 1) ideally, cyber-insurance increases Internet user safety because the insured increases self-defense as a rational response to the increase in insurance premium [13][15][33][38]; this fact has also been mathematically proven by the authors in [17][20]; 2) in the IT industry, the mindset of 'absolute protection' is slowly changing with the realization that absolute security is impossible and too expensive to even approach, while adequate security is good enough to enable normal functions, and the rest of the risk that cannot be mitigated can be transferred to a third party [22]; and 3) cyber-insurance will lead to a market solution that is aligned with the economic incentives of cyber-insurers and users (individuals/organizations): the cyber-insurers will earn profit from appropriately pricing premiums, whereas users will seek to hedge potential losses. In practice, users generally employ a simultaneous combination of retaining, mitigating, and insuring risks [32].

C. Cyber-insurance and Information Asymmetry

Sufficient evidence exists in daily life (e.g., in the form of auto and health insurance) as well as in the academic literature (specifically focused on cyber-insurance [13][15][17][20][33]) that insurance-based solutions are useful approaches to pursue, i.e., as a complement to other security measures (e.g., anti-virus software). However, despite all promises, current cyber-insurance markets are non-competitive, specialized, and non-liquid. The inability of cyber-insurance to become a common reality is due to a number of unresolved research challenges as well as practical considerations. The most prominent amongst them are information asymmetry between the insurer and the insured, and the interdependent and correlated nature of cyber-risks [6][7]. Information asymmetry has a significant effect on most insurance environments, and is comprised of two components: (i) the inability of the insurer to distinguish between users of different (high and low risk) types, i.e., the adverse selection problem, and (ii) users undertaking actions (i.e., reckless behavior) that affect loss probability after the insurance contract is signed, knowing that they would be insured, i.e., the moral hazard problem. In the Internet, or as a matter of fact in any distributed communication network, examples of information asymmetry arise from (i) insurers lacking vital information regarding the applications and software products installed by Internet users and their security maintenance habits, which correlate with the risk types of users, and (ii) users hiding information about their reckless behavioral intentions from their insurers after they get insured, knowing that they would be compensated irrespective of their malicious behavior (e.g., accessing malicious websites, being careless with security settings, etc.). This behavior by users affects the overall network security strength and might cause financial loss to cyber-insurers.

D. Our Research Contributions

In this paper we model realistic, i.e., imperfect², single-insurer (e.g., an ISP or a government agency) cyber-insurance markets for distributed network environments and jointly address the adverse selection and moral hazard problems in cyber-insurance (see Section III). We design optimal cyber-insurance contracts under information asymmetry scenarios. Our design mechanisms are based on the Principal-Agent (PA) model, which is built upon the theory of mechanism design in microeconomic theory [23] (see Section IV). PA modeling is considered a powerful tool in microeconomic theory for tackling situations of information non-transparency between economic entities [23]. As part of our results in Section IV, we mathematically show that

1) Optimal cyber-insurance contracts induced by our mechanisms only provide partial coverage to the insureds, thereby ensuring greater self-defense efforts on the part of the latter to protect their computing systems, which in turn increases overall network security.

2) The level of insurance deductible charged per network user increases in a concave manner with the topological degree of the user.

3) A market for cyber-insurance can be made to exist³ in the presence of monopolistic insurers under effective mechanism design, provided buying insurance is made mandatory for users. This result takes a step forward from the result in [25], where the authors prove the non-existence of market equilibrium in the absence of mechanism design.

2 A perfect insurance market is one where there is no information asymmetry between the cyber-insurer and the insured.

3 A situation of market equilibrium where both the insurers, as well as their clients, are well-off with respect to their insurance contracts.

II. Related Work 
In this section we briefly survey existing research work on cyber-insurance under the following two categories.

A. Self-Defense Investments and Cyber-insurance

The field of cyber-insurance in networked environments has been triggered by recent results on the amount of individual user self-defense investment in the presence of network externalities. The authors in [9][12][18][19][24][27] mathematically show that Internet users invest too little in self-defense mechanisms relative to the socially efficient level, due to the presence of network externalities. These works highlight the role of positive externalities in preventing users from investing optimally in self-defense. Thus, the challenge to improving overall network security lies in incentivizing end-users to invest a sufficient amount in self-defense in spite of the positive externalities they experience from other users investing in the network. In response to this challenge, the works in [18][19] modeled network externalities and showed that a tipping phenomenon is possible, i.e., in a situation of a low level of self-defense, if a certain fraction of the population decides to invest in self-defense mechanisms, it could trigger a large cascade of adoption of security features, thereby strengthening overall Internet security. However, they did not state how the tipping phenomenon could be realized in practice. In a series of recent works [17][20], Lelarge and Bolot have stated that under conditions of no information asymmetry [1][11] between the insurer and the insured, cyber-insurance incentivizes Internet user investment in self-defense mechanisms, thereby paving the path to trigger a cascade of adoption. They also show that investments in both self-defense mechanisms and insurance schemes are quite interrelated in maintaining a socially efficient level of security on the Internet.

B. Tackling Information Asymmetry

In spite of Lelarge and Bolot proposing the role of cyber-insurance for networked environments in incentivizing increased user security investment, it is common knowledge that the market for cyber-insurance has not blossomed with respect to its promised potential. Most recent works [7][25] have attributed the underdeveloped market for cyber-insurance to 1) interdependent security, 2) correlated risk, and 3) information asymmetries. Thus, the need of the hour is to develop cyber-insurance solutions targeting these three issues, and to identify other factors that might play an important role in promoting a developed cyber-insurance market. The works in [10][17][20][34] touch upon the notion of information asymmetry and the effect it has on the insurance parameters; however, none of them explicitly models information asymmetry. In relation to tackling information asymmetry, the authors in [10][17][25] propose the concept of premium differentiation and fines to promote cyber-insurance. Another approach to resolving information asymmetry is via security auditing [4], where an auditing agency does an extensive introspection of the security behavior of an organization and passes the information on to an insurance agency, which in turn designs the optimal insurance contract based on the introspection report. However, there are privacy concerns associated with this approach when it comes to handling non-organizational users, and it might pose regulatory constraints upon the audit agency in the first place.

Based on existing works it is clear that tackling information asymmetry formally has been uncharted territory in cyber-insurance research. Improving upon existing related works, we take a first step in this direction and propose a formal model to resolve the information asymmetry problem in distributed communication networks. Assuming that cyber-insurance is made mandatory [28], our model enables the existence of cyber-insurance markets, i.e., the existence of market equilibria, under non-ideal insurance environments. To the best of our knowledge, this is the first model of its kind specific to Internet and distributed network environments.



III. Model 

We structure this section in two parts. In the first part we describe the network environment and the user utility functions pertaining to any distributed communication network. In the second part we model information asymmetry in cyber-insurance. We use the terms 'user', 'Internet user', and 'network user' interchangeably to denote users in any communication network having Internet access. We also interchangeably use the terms 'user', 'client', and 'insured'.

A. Network Structure

We consider a set $N = \{1, \dots, n\}$ of $n$ Internet users, where the connections between them form a graph $G = (V, E)$. Let $v \in \{0, 1\}^{n \times n}$ be the matrix of connections amongst nodes, where $v_{ij} = 1$ (the edge weight between nodes (users) $i$ and $j$, $i \neq j$) if the utility of user $i$ is affected by the security (self-defense) investment of user $j$, and $v_{ij} = 0$ otherwise. Let $N_i(v) = \{\, j \mid v_{ij} = 1 \,\}$ denote the set of all one-hop neighbors of $i$. We represent the degree of a node $i$ by $d_i$, where $d_i = |N_i(v)|$.

B. User Payoffs

We model the utility/payoff to each user $i$ as $U_i$, which is a function of the security investments made by himself, his one-hop neighbors, and his final wealth⁴. We assume that the cyber-insurer knows the utility function of its clients⁵ and designs contracts based on it and on the type of adverse selection scenario (see next subsection). Mathematically, $U_i = U_i(W_i, x_i, \vec{x}_{N_i(v)})$, where $\vec{x}_{N_i(v)}$ is the vector of security investments of the one-hop neighbors of user $i$ and $W_i$ is the final wealth of user $i$. From the structure of user utility functions, we observe that two users having the same degree and final wealth will have the same utility function. We also model the concept of a positive externality as it influences user self-defense investment decisions. A positive externality to a user from its one-hop neighbors results when the latter invest in security, thereby improving the individual security strength of the user. We represent the concept mathematically in the following manner: we say that a payoff function exhibits positive externalities if for each $U_i$ and for all $\vec{x} > \vec{x}'$, $U_i(x_i, \vec{x}, W_i) > U_i(x_i, \vec{x}', W_i)$, where $\vec{x}$ and $\vec{x}'$ are vectors of security investments of the one-hop neighbors of user $i$ and $W_i$ is the final wealth of user $i$.

In scenarios where the security strength of a user $i$ depends on the sum of the investments of himself and his neighboring users, we formulate $i$'s utility/payoff function as follows:

$$U_i(W_i, x_i, \vec{x}_{N_i(v)}) = f\Big(x_i + \lambda \sum_{j \in N_i(v)} x_j,\; x_i,\; W_i\Big), \qquad (1)$$

where $f(\cdot)$ is a non-decreasing function of $\vec{x}$, $x_i$, and $W_i$, and $\lambda$ is a real scalar which determines the magnitude of the positive externality experienced by user $i$ due to the security investments made by his one-hop neighbors.

In this paper we assume the utility functions of Internet users to be of the strategic substitute type exhibiting positive externalities. We say that a utility/payoff function exhibits strategic substitutes, or is submodular, if it has the property of decreasing differences, i.e., for $x_i > x_i'$ and $\vec{x} > \vec{x}'$,

$$U_i(x_i, \vec{x}, W_i) - U_i(x_i', \vec{x}, W_i) < U_i(x_i, \vec{x}', W_i) - U_i(x_i', \vec{x}', W_i).$$

The practical interpretation of a strategic substitute as applicable to this paper is that an increase in the security investments of a user's neighbors reduces the marginal utility of the user's own investment, thus de-incentivizing him from investing. This happens due to the positive externality a neighbor exerts on the user through his own investments.

4 The final wealth is the net user wealth resulting after getting covered (uncovered) by a cyber-insurance policy in case of a loss (no-loss).

5 Such knowledge can in practice be estimated via surveys.
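The graph and payoff structure of Sections III-A and III-B, instantiated as an added example (this code is not from the paper): a constructed 5-user connection matrix, a concrete payoff $f(s, x_i, W_i) = \ln(1 + s) - \kappa x_i + \ln W_i$ with the assumed values $\lambda = 0.5$ and $\kappa = 0.2$ (none of which appear in the paper), numerical checks of the positive-externality and decreasing-differences properties, and a best-response computation showing that a user's optimal self-defense level falls as his neighbors invest more, which is the free-riding effect the text describes.

```python
"""Constructed instance of the network model of Section III (added example, not
from the paper). The graph, the payoff form, lambda and kappa are all assumptions."""
import math

LAMBDA = 0.5     # weight of neighbors' investments in user i's security strength
KAPPA = 0.2      # per-unit cost of self-defense investment, charged inside the payoff
WEALTH = 100.0   # final wealth W_i used in the checks below

# Connection matrix v in {0,1}^{n x n} for a constructed 5-user network:
# v[i][j] = 1 if user i's utility is affected by user j's self-defense investment.
V = [
    [0, 1, 1, 1, 0],
    [1, 0, 1, 0, 0],
    [1, 1, 0, 0, 0],
    [1, 0, 0, 0, 1],
    [0, 0, 0, 1, 0],
]


def neighbors(v, i):
    """N_i(v) = { j : v_ij = 1 }, the one-hop neighbors of user i."""
    return [j for j, vij in enumerate(v[i]) if vij == 1 and j != i]


def degree(v, i):
    """d_i = |N_i(v)|."""
    return len(neighbors(v, i))


def payoff(v, i, x, w):
    """Eq. (1): U_i = f(x_i + lambda * sum_{j in N_i(v)} x_j, x_i, W_i) with the
    assumed f(s, x_i, W_i) = ln(1 + s) - kappa * x_i + ln(W_i); x is the full
    investment vector indexed by user."""
    s = x[i] + LAMBDA * sum(x[j] for j in neighbors(v, i))
    return math.log(1.0 + s) - KAPPA * x[i] + math.log(w)


def with_own(x, i, xi):
    """Copy of investment vector x with user i's entry replaced by xi."""
    y = list(x)
    y[i] = xi
    return y


def positive_externality(v, i, x_low, x_high, w):
    """Checks U_i(x_i, x, W_i) >= U_i(x_i, x', W_i) when the neighbor vector x (x_high)
    dominates x' (x_low) component-wise while user i's own entry is identical."""
    assert x_high[i] == x_low[i] and all(h >= l for h, l in zip(x_high, x_low))
    return payoff(v, i, x_high, w) >= payoff(v, i, x_low, w)


def decreasing_differences(v, i, xi_hi, xi_lo, x_low, x_high, w):
    """Strategic substitutes: the gain from raising own investment xi_lo -> xi_hi
    is no larger when the neighbors invest more (x_high) than when they invest
    less (x_low)."""
    gain_low = (payoff(v, i, with_own(x_low, i, xi_hi), w)
                - payoff(v, i, with_own(x_low, i, xi_lo), w))
    gain_high = (payoff(v, i, with_own(x_high, i, xi_hi), w)
                 - payoff(v, i, with_own(x_high, i, xi_lo), w))
    return gain_high <= gain_low


def best_response(v, i, x, w, grid):
    """User i's payoff-maximizing self-defense level given the others' investments
    (grid search). With the assumed f the interior optimum is 1/kappa - 1 - lambda * S,
    where S is the neighbors' total investment, so it falls as the neighbors invest more."""
    return max(grid, key=lambda xi: payoff(v, i, with_own(x, i, xi), w))


if __name__ == "__main__":
    grid = [k * 0.25 for k in range(41)]   # candidate investments 0, 0.25, ..., 10
    for name, others in (("idle neighbors", [0.0] * 5),
                         ("neighbors invest 4 in total", [0.0, 1.0, 1.0, 2.0, 0.0]),
                         ("neighbors invest 8 in total", [0.0, 4.0, 4.0, 0.0, 0.0])):
        print(name, "-> user 0 best response:", best_response(V, 0, others, WEALTH, grid))
```

Run as a script it prints best responses 4.0, 2.0 and 0.0 for user 0 as his three neighbors move from investing nothing to investing 8 units in total: the externality $\lambda S$ substitutes one-for-one (scaled by $\lambda$) for the user's own effort, which is exactly the under-investment the decreasing-differences property predicts.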



C. Modeling Information Asymmetry

We assume two classes of (insured) users, one which has a high chance of facing risks and the other which has a low chance. We term these classes 'HC' and 'LC' respectively. Let $\theta$ and $(1 - \theta)$ be the proportions of users who run a high chance and a low chance, respectively, of facing a risk of size $r$. However, on grounds of adverse selection the insurer cannot observe the class of any user. We consider two cases relevant to adverse selection in the Internet: 1) neither the insurer nor the insured user knows which risk class the insured falls in⁶ (most pertinent w.r.t. the Internet and communication networks), and 2) the insurer has no knowledge of a user's risk class but the user acquires this knowledge (through third-party agencies⁷) before/after signing the contract but before it invests in self-defense. We assume that each user in class $i \in \{LC, HC\}$ invests an amount $x_i$ in self-defense mechanisms after signing an insurance contract, which reduces its probability $p_i$ of being affected by Internet threats. The risk-facing probability function $p$ for users in classes LC and HC has the following properties:

• $p(x)$ is twice continuously differentiable and decreasing, with $p'_{LC}(x) < p'_{HC}(x) < 0$ and $p''(x) > 0$, i.e., investments by users in class LC are more effective in reducing the loss probability than equivalent investments by users in class HC.

• $p_{HC}(x) > p_{LC}(x)$.

• $1 > p_{HC}(x) > p_{LC}(x) > 0$ for all $x \in [0, \infty)$.

We model moral hazard by assuming that the cyber-insurer cannot observe or have knowledge of the amount of investment made by the insured after signing the insurance contract. Regarding user investments, apart from the self-defense investments made by a user, we assume a certain minimum amount of base investment of value $b_{inv}$ made by an Internet user of class $i$ prior to signing insurance contracts, without which no user can be insured. Thus $p_i(b_{inv})$ is the highest chance of risk a user of class $i$ may face.

The insurance company accounts for adverse selection and moral hazard and designs insurance contracts of the form $C_i = (z_i, c_i)$ for all users $i$ in class $j \in \{LC, HC\}$, where $z_i$ is the premium and $c_i$ is the net coverage⁸ for user $i$. An Internet user adopts the insurance contract and invests in self-defense mechanisms to achieve maximum benefit. We measure the benefit of users of a particular risk class $i$ as a utility, expressed as a function of the contract $C_i$ and the self-defense investment $x_i$. We define the expected utility of users in risk class $i$ facing a risk of value $r$⁹ as the expected utility of final wealth, expressed as

$$EU_i(C_i, x_i) = p_i(x_i)\, U_i(w_{i0} - r + c_i, x_i, \vec{x}) + (1 - p_i(x_i))\, U_i(w_{i0} - z_i, x_i, \vec{x}), \qquad (2)$$

where $w_{i0}$ is the initial wealth of user $i$, $x_i$ is the amount of self-defense investment he makes, $\vec{x}$ is the investment vector of his one-hop neighbors, and $U_i(\cdot)$ is an increasing, continuously differentiable function ($U_i' > 0$, $U_i'' < 0$) that denotes the utility of wealth. Differentiating Equation (2) w.r.t. $x_i$, we get the first-order condition

$$-p_i'(x_i)\,\big[U_i(w_{i0} - z_i, x_i, \vec{x}) - U_i(w_{i0} - r + c_i, x_i, \vec{x})\big] = 0. \qquad (3)$$

The first-order condition generates the optimal self-defense investment $x_i^{opt}$ for user $i$ that maximizes his expected utility of final wealth.

6 This situation may generally happen when users do not provide truthful information to insurance agency questionnaires and both the insurer as well as the insured cannot estimate the value of the correlated and interdependent risks posed to individual insureds.

7 The third-party agencies could be private organizations who might observe intrusions into user security; however, such steps have regulatory and neutrality issues and thus are debatable in terms of practical implementation. We consider this case in the paper for modeling completeness.

8 By the term 'net coverage' we mean the total coverage minus the premium cost. Note that we do not include self-defense investments as part of the initial wealth of a user, but include the cost of investing in self-defense in the utility function $U_i$ for each user $i$.

9 We assume a uniform value of risk for expositional simplicity.

In the following sections we analyze optimal cyber-insurance contracts under the presence of moral hazard when 1) neither the insurer nor the insured has any information regarding the risk class of a user, 2) the insurer does not have information regarding user class but the insured acquires information after signing the contract but before making self-defense investments, and 3) the insurer does not have information regarding user class but the insured acquires information before signing the contract.

IV. Mechanisms For Alleviating Information 
Asymmetry 

In this section, we design three mechanisms to alleviate information asymmetry in cyber-insurance, corresponding to the three adverse selection scenarios mentioned in the previous section. For each mechanism, the outcome is the set of parameters of an optimal cyber-insurance contract, i.e., the coverage and the premium.

A. Neither the Insurer Nor the Insured Has Information

An Internet user $i$ does not know his risk class and therefore maximizes his expected utility of final wealth by taking his probability of loss to be the expected value $p_i^a(x) = \theta\, p_{HC}(x) + (1 - \theta)\, p_{LC}(x)$ and solving Equation (3). Here $a$ can be considered the risk class that each user feels he is in, as he does not have perfect information about whether he is in class LC or HC¹⁰. We assume that the functions $p_{LC}(x)$ and $p_{HC}(x)$ are common knowledge to the insurer and the insured. The cyber-insurer, on the other hand, maximizes his profit by offering an optimal contract $(C_i^a)^{opt} = ((z_i^a)^{opt}, (c_i^a)^{opt})$. The insurer's profit-maximization problem is

$$\arg\max_{z_i^a,\, c_i^a} \;\big[(1 - p_i^a(x_i^a))\, z_i^a - p_i^a(x_i^a)\, c_i^a\big]$$

subject to

$$EU_i^a\big((C_i^a)^{opt}, (x_i^a)^{opt}\big) - EU_i^a(0, x_{i0}) \ge 0, \qquad (4)$$

$$-p_i^{a\prime}(x_i^a)\,\big[U_i(w_{i0} - z_i^a, x_i^a, \vec{x}^a) - U_i(w_{i0} - r + c_i^a, x_i^a, \vec{x}^a)\big] = 0, \qquad (5)$$

$$-p_i^{a\prime}(x_{i0})\,\big[U_i(w_{i0}, x_{i0}, \vec{x}^a) - U_i(w_{i0} - r, x_{i0}, \vec{x}^a)\big] = 0, \qquad (6)$$

where $x_{i0}$ is the amount of self-defense investment by user $i$ when no insurance is purchased, and $\lambda_i^a$, $\mu_i^a$, $\mu_{i0}$ are the Lagrangian multipliers of constraints (4), (5), and (6) respectively. Constraint (4) is the participation constraint (individual rationality) stating that the expected utility of final wealth of a user is at least as much with cyber-insurance as without cyber-insurance. Constraints (5) and (6) state that Internet users will invest in optimal self-defense so as to maximize their utility of final wealth, and this is in exact accordance with what the cyber-insurer wants (i.e., to avoid moral hazard).

The optimization problem presented in this section¹¹ is an example of a general principal-agent problem. The Internet users (agents) will act non-cooperatively as utility maximizers, whereas the principal's (cyber-insurer's) problem is to design a mechanism that maximizes its utility while accounting for adverse selection and moral hazard on the client (agent) side. Thus, the situation represents a Bayesian game of incomplete information [8]. According to Palfrey and Srivastava [30], there exists an incentive-compatible direct revelation mechanism [37] for the problem, implementable in private value models, in which users do what the insurer desires (i.e., invest optimally in self-defense), provided the constraints in the optimization problem bind and the users do not use weakly dominated strategies [8] in equilibrium.

We have the following lemma stating the result related to the solution of the optimization problem.

10 One could view $a$ as an expected risk class/type a user feels he is in, given that he does not know his actual risk type.

11 We also note that the optimization problems in the forthcoming sections are all examples of general principal-agent problems.



Lemma 1. The optimal cyber-insurance contract in situations where neither the insurer nor the insured has perfect information on the risk type of the client induces partial coverage at fair premiums. In addition, a pooling equilibrium (optimal) contract results for both high- and low-risk users.

Proof Sketch: En route to solving our optimization problem, we derive the Lagrangian [31] and first-order conditions, and apply the Karush-Kuhn-Tucker (KKT) conditions. We omit the proof in the paper due to lack of space. Details of the proof methodology can be found in [21].

Lemma Implications: The solution to the optimization problem in the binding case tends to full insurance coverage as the utility function becomes increasingly risk-averse, and to partial insurance coverage otherwise. It also generates a pooling equilibrium contract¹² which is unique and entails partial cyber-insurance coverage at fair premiums. Thus, we infer that partial insurance coverage is optimal for the cyber-insurer to provide to its clients, as it accounts for the uncertainty of user risk types. Intuitively, a pooling equilibrium works because neither the insurer nor the insured has any information on user risk type, and as a result the cyber-insurer is not at a disadvantage regarding risk type information relative to the Internet users. The pooling equilibrium establishes the existence of a market for cyber-insurance.

B. Insurer Has No Information, Insured Gets Information After Signing Contract

In this scenario, we assume that the insurer does not have information about the risk class of a user and cannot observe the risk class if the user obtains information from any third-party agency. Since the cyber-insurer is the first mover, it will account for the fact that users will be incentivized to take the help of a third party.

Let $EU_i^a(C_i, x_i)$ be the expected utility of user $i$ in risk class $a$ for a contract $C_i$, when he cannot observe the risk class he is in. Let $\theta\, EU_i^{HC}(C_i, x_i) + (1 - \theta)\, EU_i^{LC}(C_i, x_i)$ be the expected utility of the same user when he can obtain information about his risk class from a third-party agency. We denote the value to user $i$ of gaining information about his risk type w.r.t. contract $C_i$ as $VI(C_i)$, defined for all $\theta \in [0, 1]$ as

$$VI(C_i) = \theta\, EU_i^{HC}(C_i, x_i) + (1 - \theta)\, EU_i^{LC}(C_i, x_i) - EU_i^a(C_i, x_i). \qquad (7)$$

We emphasize that $VI(C_i)$ is zero if there is only one type of risk class in the market. Now let $x_i^j$ be the solution to Equation (3) for user $i$ in risk class $j$ with contract $C_i$. Since $p'_{LC}(\cdot) < p'_a(\cdot) < p'_{HC}(\cdot)$, for contract $C_i$ we have $x_i^{LC} > x_i^a > x_i^{HC}$. Thus $VI(C_i) > 0$, due to the relationship

$$EU_i^j(C_i, x_i^j) > EU_i^j(C_i, x_i^a), \qquad j \in \{LC, HC\}. \qquad (8)$$

The cyber-insurer maximizes its profit by offering an optimal contract $C_i^{opt} = (z_i^{opt}, c_i^{opt})$. The insurer's profit-maximization problem is

$$\arg\max_{z_i,\, c_i} \sum_{j \in \{LC, HC\}} \big[(1 - p_i^j(x_i^j))\, z_i - p_i^j(x_i^j)\, c_i\big]$$

subject to

$$EU_i^j(C_i^{opt}, x_i^{opt}) - EU_i^j(0, x_{i0}) \ge 0, \qquad j \in \{LC, HC\}, \qquad (9)$$

$$-p_i^{j\prime}(x_i)\,\big[U_i(w_{i0} - z_i, x_i, \vec{x}) - U_i(w_{i0} - r + c_i, x_i, \vec{x})\big] = 0, \qquad \forall j, \qquad (10)$$

$$-p_i^{j\prime}(x_{i0})\,\big[U_i(w_{i0}, x_{i0}, \vec{x}) -  U_i(w_{i0} - r, x_{i0}, \vec{x})\big] = 0, \qquad j \in \{LC, HC\}, \qquad (11)$$

where $x_{i0}$ is the amount of self-defense investment when no insurance is purchased by user $i$, and $\lambda_i^j$, $\mu_i^j$, $\mu_{i0}^j$ are the Lagrangian multipliers of constraints (9), (10), and (11) respectively. Constraint (9) is the participation constraint (individual rationality) stating that the expected utility of final wealth of a user is at least as much with cyber-insurance as without cyber-insurance. Constraints (10) and (11) state that Internet users will invest in optimal self-defense so as to maximize their utility of final wealth (moral hazard constraints). We have the following lemma stating the result related to the solution of the optimization problem. The proof of the lemma follows a proof sketch similar to that of Lemma 1.

12 A pooling equilibrium is one where the cyber-insurer has the same policy for both classes (high and low risk) of users and the contract is in equilibrium.

Lemma 2. The optimal cyber-insurance contract for each user $i$ 
induces full coverage at fair premiums when $VI(C_i) = 0$ and induces 
partial coverage at fair premiums when $VI(C_i) > 0$. In addition, a 
pooling equilibrium (optimal) contract results for both high and low 
risk users. 

Lemma Implications: The solution to the optimization problem in 
the binding case results in full insurance coverage if $VI(C_i) = 0$ and 
partial insurance coverage if $VI(C_i) > 0$. If $VI(C_i) > 0$, which is 
most likely the case, a user would prefer to have information on his 
risk class and accept contract $C_i^{opt}$ rather than contract $(C_i^{a})^{opt}$ 
(based on utility comparisons). Our optimization problem also generates 
a pooling equilibrium contract, which is unique and entails partial 
coverage at fair premiums. Thus, we infer that the cyber-insurer finds it 
optimal to provide partial insurance coverage to its clients as it accounts 
for uncertainty of user risk types. Intuitively, a pooling equilibrium 
works because neither the insurer nor the insured has any information on 
user risk type before the user signs the contract, and as a result the 
cyber-insurer is not at a disadvantage with respect to gaining information 
on risk type relative to Internet users. 

C. Insurer Has No Information, Insured Obtains Information Prior 
to Signing Contract 

In this scenario, we assume that the insurer does not have information 
about the risk class of a user and cannot observe the risk class if the 
user obtains information from any third party agency prior to signing 
the insurance contract. However, in this scenario a user who knows his 
risk type is at a significant advantage. Since the cyber-insurer is the first 
mover, he will account for the fact that users will be incentivized to take 
the help of a third party. We consider the case where the user may acquire 
information about his risk type prior to signing the insurance contract, 
and based on the information he decides on the contract and in turn his 
self-defense investments. We note here that users who remain uninformed 
will choose contract $C^{LC}$, as it is more beneficial for them to imitate 
the low risk type users than to be of the 'expected' type. 

We denote the value of gaining information to a user $i$ as $VI = 
VI(C^{LC}, C^{HC})$, and it is defined for all $\theta \in [0, 1]$ as 

$VI = \theta EU_{HC}(C^{HC}, x^{HC}) + (1-\theta) EU_{LC}(C^{LC}, x^{LC}) - EU^{a}(C^{LC}, x^{LC}). \quad (12)$ 

The cyber-insurer maximizes its profits by offering an optimal contract 
$C^{opt} = (z^{opt}, c^{opt})$. The optimization problem related to an insurer's 
profit is given as 

$\arg\max_{z_i, c_i} \sum_{j=LC,HC} \left[(1 - p_i^j(x_i))\, z_i - p_i^j(x_i)\, c_i\right]$ 

subject to 

$EU_j(C^{opt}, x^{opt}) - EU_i^j(0, x_{i0}) \geq 0, \quad j \in \{LC, HC\}, \quad (13)$ 

(14) 

$= 0, \quad j \in \{LC, HC\}, \quad (15)$ 

$-p_i^{j\prime}(x_k)\left[U_i(w_{i0} - z_k, x_i, \vec{x}) - U_i(w_{i0} - r + c_k, x_i, \vec{x})\right] = 0, \quad j, k \in \{LC, HC\}, \quad (16)$ 

$-p_i^{j\prime}(x_{i0})\left[U_i(w_{i0}) - U_i(w_{i0} - r)\right] = 0, \quad j \in \{LC, HC\}, \quad (17)$ 

where $x_{i0}$ is the amount of self-defense investments when no insurance 
is purchased. $\lambda_j$, $\eta_j$, $\mu_i^j$, $\mu_{i0}^j$ are the Lagrangian multipliers related 
to constraints (13)-(17) respectively. Constraint (13) is the participation 
constraint stating that the expected utility of final wealth of a user 
is at least as much with cyber-insurance as without cyber-insurance 
(Individual Rationality). Constraint (14) is the incentive compatibility 
constraint, which states that users prefer to accept contracts that are 
designed to appeal to their types. Constraints (15), (16), and (17) state 
that Internet users will invest in optimal self-defense investments so as 
to maximize their utility of final wealth. We have the following lemma 
stating the result related to the solution of the optimization problem. 
The proof of the lemma follows from a similar proof sketch as that for 
Lemma 1. 

Lemma 3. The optimal cyber-insurance contract for each user $i$ 
induces partial coverage at fair premiums. In addition, a separating 
equilibrium (optimal) contract results for both high and low risk users. 

Lemma Implications: Our optimization problem generates a separating 
equilibrium contract, which is unique and entails partial cyber- 
insurance coverage at fair premiums. Intuitively, a separating equilibrium 
works because the cyber-insurer is aware of the fact that Internet users have 
risk type information before it lays down the contracts, and thus plans 
different contracts for different types. In terms of optimal contracts and 
cyber-insurer profits, the insurer is worse off than in the no-information 
case because in the latter case the insurer extracts all user surplus, 
whereas in the former case it extracts full surplus from the low risk 
type users but only partial surplus from high risk type users. 
The separating equilibrium establishes the existence of a market for 
cyber-insurance. We now have the following theorem whose proof 
follows from Lemmas 1, 2, and 3, and the fact that insurance purchase 
needs to be made mandatory for users [28]. 

Theorem 1. A market for cyber-insurance can be made to exist 
amongst risk-averse Internet users when (i) effective mechanism design 
is used to alleviate information asymmetry scenarios and (ii) it is 
mandatory for users to buy cyber-insurance. 

Comment: We note that in the optimization problems stated above, 
the output is only the optimal premium and coverage. Through partial 
coverage we shift additional liability to users to increase their investment 
amounts (atop the optimal efforts enforced in the problem constraints), 
thereby leading to increased overall security. 

D. Effect of Topology on Contract Parameters 

In this section, we briefly present and analyze results related to the 
effect of user degrees on their cyber-insurance contract parameters. We 
have the following lemma relating user degrees with cyber-insurance 
coverage. We omit the proof in the paper due to lack of space. However, 
the proof concept (sketch) relies simply on evaluating the first derivative 
and second derivative of the deductible expression in the contract. 

Lemma 4. The level of deductible (coverage) for each Internet 
user $i$ on a risk of size $r$ increases (decreases) in a concave (convex) 
manner with the degree of the user, i.e., < 0, ∀i and > 0, ∀i, 
under every adverse selection scenario. 

Lemma Implications: The intuition for Lemma 4 holding true is the 
fact that with an increase in user degree one gets well connected with 
his neighbors and invests less in self-defense but gains 
greater expected utility than his less connected counterparts [29]. This 
leads to a free riding phenomenon. The optimal cyber-insurance contracts 
for users derived in this paper account for this fact and introduce a 
control in terms of imposing higher deductibles (less coverage) on well 
connected users, hence incentivizing them to invest more in self-defense 
investments. 

13 A separating equilibrium is one where the cyber-insurer has different 
insurance contracts for both the classes (high and low risk) of users and the 
contract is in equilibrium. 

V. Conclusion 

In this paper we used the principal-agent model in microeconomic 
theory to address the information asymmetry problem in cyber-insurance 
and proposed mechanisms to alleviate the problem. The optimal contracts 
derived from our theory account for the topological location of each 
user in a communication network, oblige Internet users to take more 
responsibility in protecting their computing systems, and incentivize 
them to increasingly invest in self-defense mechanisms. This in turn 
increases the overall network security. Through our mechanisms we also 
showed the existence of single-cyber-insurer insurance markets for Internet 
security. As part of future work, we plan to target multi-insurer cyber- 
insurance markets. 